If you have not heard about cybersecurity online, in print, or on the news in the last 10 years, exactly how safe are your customers? Cybersecurity has become a serious topic for businesses and consumers. Unfortunately, cyber threats are often set aside in favor of other initiatives and become a bigger problem in the long run.
Creating an initial and ongoing cybersecurity plan requires effort. Best practices are chosen, an assessment is performed, recommendations and a gap analysis determine what needs resolution, a project is implemented, and the cycle repeats. It is like a Technology Alignment Manager (TAM) onsite assessment with an emphasis on securing Personally Identifiable Information (PII) from malicious threats.
To maintain the security of a customer—and their customers—there are three areas to understand: Threats, Exploits, and Vulnerabilities.
- A Threat is a person or thing likely to cause damage or danger intentionally or unintentionally. Understanding who, what, and where threats originate assists in reducing the risk of a breach.
- An Exploit is a method of circumventing or taking advantage of a bug to cause unintended behavior to occur. These are often discovered and used by threats to gain access to software and systems.
- A Vulnerability is a bug or defect that presents a weakness and exposes a system to a threat. Vulnerabilities allow unauthorized actions to execute within a system and expose confidential information.
The three areas are summed up in a simple sentence: Threats use Exploits to attack Vulnerabilities. Cybersecurity requires detailed attention to all three areas to protect clients. Focusing on one area temporarily relieves risk and is not a permanent solution. Every customer needs a cybersecurity assessment regardless of their industry. Protecting company data is critical and executing the minimum requirements is the least a Technology Success Practice (TSP) can do for its customers.
As of this writing, there are a few templates in our myITprocess software that are available to assist with a company-wide cybersecurity assessment.
- NIST Cybersecurity Framework (CSF) 1.1
- NIST 800-171
- CIS Controls 7.1
- UK Cyber Essentials
There are many templates available within myITprocess, but this set has particular advantages over others for a general cybersecurity assessment.
- They are easy to interpret. Many regulations and statutory requirements come directly from the law. It takes a bit of translation to make them understandable for a TAM, vCIO, and the customer.
- They are industry- and technology-neutral best practices. No specific hardware, software, or service comes recommended by name. This is due to the varying risks different businesses face in their industry.
- In comparison, they are easy to deploy and maintain. Each template covers the minimum requirements that deliver the most security benefit. Allowing a TAM to get the most out of an assessment with fewer questions makes a recurring audit workable.
Because these templates are not tied to one industry, they are usable for almost any customer. Take that statement with a grain of salt, though: industry-specific regulations must follow their own set of rules. For instance, a government contractor must follow NIST 800-171, and performing a CIS Controls 7.1 assessment in its place is not advisable.
There is a lot of flexibility for Technology Service Providers to mix and match questions and categories to fulfill a clear-cut need. Vendor- and technology-neutral guidelines contribute to customized assessments by focusing on risk mitigation and not which brand to use.